Update on CVE-2014-0160, aka “Heartbleed”

Reposting official announcement on behalf of Robyn Bergeron:

Hello again, Fedora community.

This is an update on Fedora’s response to CVE-2014-0160 (aka “Heartbleed”). This is a critical security vulnerability that requires your immediate attention.

Updates are now available, and are being pushed to our mirror network. The update announcements for Fedora 19 and Fedora 20 are available at:

Apply updates with

    sudo yum upgrade openssl openssl-libs

or with your graphical package manager.

After applying the update, restart every service that uses OpenSSL. A running process keeps the old library mapped in memory until it is restarted, so installing the package alone does not protect services that are already running. You may find it easiest to simply restart your system; if you prefer, you may restart the affected services manually. You can get an overview of programs that still need to be restarted with the command-line tool

    sudo needs-restarting

(This is included in the yum-utils package.) Restart all listed programs until the output of needs-restarting is empty.
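The two checks a practitioner wants after following the steps above, as an added example (not Fedora's own tooling): confirm the installed openssl-libs actually carries the backported fix, since `openssl version` keeps printing 1.0.1e on Fedora, and find processes that still map the replaced libssl/libcrypto and therefore need a restart. The script assumes an rpm-based host; the function names are my own, and the "(deleted)" suffix in /proc/PID/maps is the same signal needs-restarting relies on, here narrowed to the two OpenSSL libraries.

```shell
#!/bin/sh
# Post-update check for CVE-2014-0160 (Heartbleed) on an rpm-based host.
# Added example for this announcement, not Fedora's own tooling. It assumes
# an rpm-based system where the fix was backported into openssl-libs 1.0.1e
# (so `openssl version` still prints 1.0.1e) and that /proc/PID/maps is
# readable for the processes of interest (run as root to see all of them).

CVE_ID="CVE-2014-0160"

# Check 1: does the package changelog (read from stdin) record the backport?
# The version string is not a usable signal on Fedora, because the patch was
# applied on top of 1.0.1e; the changelog entry is.
changelog_has_fix() {
    grep -q "$CVE_ID"
}

# Convenience wrapper that feeds the real rpm changelog into check 1.
openssl_fix_installed() {
    rpm -q --changelog "${1:-openssl-libs}" | changelog_has_fix
}

# Check 2: which processes still map a libssl/libcrypto file that has been
# replaced on disk? After `yum upgrade` the old file is unlinked but stays
# mapped until the process restarts; the kernel shows such mappings with a
# "(deleted)" suffix in /proc/PID/maps. This is the same signal
# needs-restarting (yum-utils) uses, narrowed to the two OpenSSL libraries.
# The proc root is a parameter so the function can be exercised against a
# constructed directory tree.
stale_openssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" >/dev/null 2>&1; then
            pid="${maps%/maps}"
            printf '%s\n' "${pid##*/}"
        fi
    done
}

# Combined verdict: changelog text on stdin, proc root as argument.
# Prints one of: unpatched | patched-restart-needed | patched-and-clean
heartbleed_verdict() {
    proc_root="${1:-/proc}"
    if ! changelog_has_fix; then
        printf '%s\n' unpatched
        return 1
    fi
    if [ -n "$(stale_openssl_pids "$proc_root")" ]; then
        printf '%s\n' patched-restart-needed
        return 2
    fi
    printf '%s\n' patched-and-clean
}

# Stand-alone run against the live host; skipped where rpm is not available
# (for example on a non-rpm machine used only to exercise the functions).
if command -v rpm >/dev/null 2>&1; then
    verdict="$(rpm -q --changelog openssl-libs | heartbleed_verdict /proc)" || true
    printf 'openssl-libs: %s\n' "$verdict"
    if [ "$verdict" = patched-restart-needed ]; then
        printf 'restart these PIDs (or reboot):\n'
        stale_openssl_pids /proc
    fi
fi
```

needs-restarting remains the tool to use for the full picture, because it covers every updated package rather than just OpenSSL; this script only makes the two signals explicit. Neither check sees a program that bundles or statically links its own copy of OpenSSL, so those need their own update. And restarting closes the hole going forward but does not undo anything that may already have been read from a vulnerable process, so keys and credentials served by affected hosts should be handled under your incident process rather than assumed safe.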

The Fedora Cloud images linked at https://fedoraproject.org/en/get-fedora#cloud have been recreated with the updated packages preinstalled.

Fixes have been applied to servers used in Fedora infrastructure and we are investigating any further remediation which may be necessary.

Special thanks to Robert Mayr, Kévin Raymond, Dennis Gilmore, Matthew Miller, Paul Frields, Major Hayden, Kurt Seifried, Kevin Fenzi, William Brown, Nick Bebout, Adam Williamson, Joachim Backes, Pádraig Brady, Lokesh Mandvekar, David Strauss, Joop Braak, Michael Cronenworth, Till Maas, Luke Macken, and others for effort in making these updates available quickly.

– Robyn Bergeron

Fedora Project community

8 Comments

  1. I was eagerly waiting for this upgrade. A lot of thanks!

  2. mike

    I’m using fc19, and running the command
    ‘openssl version’ I see
    OpenSSL 1.0.1e-fips 11 Feb 2013

    I guess the question is, how do I know for sure about the vulnerability? Reading http://heartbleed.com/, they suggest 1.0.1g is the level folks need to be at.

    • Eugene

      You can check the changelog of a package to see if a specific vulnerability fix was backported:

      sudo rpm -q --changelog openssl | head -n 3
      * Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
      - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

      • Anonymously

        Thx for the tip, I also had the same question. Another question I have is: how often do Fedora maintainers update *important* packages like this one? I realize the answer may vary, but I’d feel slightly more secure if it were more often than not.

    • Till

      You can check with rpm; it should show you whether your package contains the fix. An easy-to-verify indication is the changelog of openssl-libs:

      $ rpm --changelog -q openssl-libs | grep CVE-2014-0160
      - pull in upstream patch for CVE-2014-0160
  3. sean darcy

    fedora really needs to move to 1.0.1g. I realize rh has patched 1.0.1e, but many of our customers are following the general advice not to connect to any openssl < 1.0.1g. This is a real pain, given all the paranoia around, many people aren't interested in a discussion about patches, some even have now a corporate policy.

    • Josh

      I agree with Sean. There is no indication that this is a patched version. If you do openssl version you get,

      OpenSSL 1.0.1e-fips 11 Feb 2013

      The right thing to do is to release a 1.0.1g version or at the very least bump the version date to April 2014

      • Of course, the new version might introduce new flaws. Fun all around. Use rpm -q --changelog openssl | less to see the changelog, where it is clearly noted that the vulnerability is patched.

        But most importantly, you’re really talking to the wrong people in comments here; https://bugzilla.redhat.com/show_bug.cgi?id=1049231 is the tracking bug (although, a huge amount of chatter there will just be distracting to the package maintainer rather than helpful, so don’t overdo it)….
